From b6be89a44f19ab96be9768da9c2dec57deb6596b Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Wed, 22 Sep 2021 14:47:12 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Fixed=20member=20email=20change?=
 =?UTF-8?q?=20vulnerability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr

This updates the signup/signin flow for members to no longer support the email address change flow - which had missing authentication.

It has been replaced with a dedicated email change flow, and Portal has been updated to use it.
---
 core/frontend/helpers/ghost_head.js | 2 +-
 core/server/web/members/app.js | 1 +
 package.json | 2 +-
 yarn.lock | 8 ++++----
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/core/frontend/helpers/ghost_head.js b/core/frontend/helpers/ghost_head.js
index 127d55d67b..7aac563777 100644
--- a/core/frontend/helpers/ghost_head.js
+++ b/core/frontend/helpers/ghost_head.js
@@ -41,7 +41,7 @@ function getMembersHelper() {
 const stripeDirectPublishableKey = settingsCache.get('stripe_publishable_key');
 const stripeConnectAccountId = settingsCache.get('stripe_connect_account_id');
- let membersHelper = ``;
+ let membersHelper = ``;
 membersHelper += (``);
 if ((!!stripeDirectSecretKey && !!stripeDirectPublishableKey) || !!stripeConnectAccountId) {
 membersHelper += '';
diff --git a/core/server/web/members/app.js b/core/server/web/members/app.js
index 2ec4efb470..5ad8433a19 100644
--- a/core/server/web/members/app.js
+++ b/core/server/web/members/app.js
@@ -34,6 +34,7 @@ module.exports = function setupMembersApp() {
 // We don't want to add global bodyParser middleware as that interfers with stripe webhook requests on - `/webhooks`.
 membersApp.get('/api/member', middleware.getMemberData);
 membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);
+ membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));
 membersApp.get('/api/session', middleware.getIdentityToken);
 membersApp.delete('/api/session', middleware.deleteSession);
 membersApp.get('/api/site', middleware.getMemberSiteData);
diff --git a/package.json b/package.json
index 15f92baabd..981b42bb17 100644
--- a/package.json
+++ b/package.json
@@ -56,7 +56,7 @@
 "@tryghost/kg-markdown-html-renderer": "3.0.0",
 "@tryghost/kg-mobiledoc-html-renderer": "3.0.1",
 "@tryghost/magic-link": "0.6.4",
- "@tryghost/members-api": "0.37.12",
+ "@tryghost/members-api": "0.37.13",
 "@tryghost/members-csv": "0.4.2",
 "@tryghost/members-ssr": "0.8.8",
 "@tryghost/mw-session-from-token": "0.1.14",
diff --git a/yarn.lock b/yarn.lock
index 2bd1a2a9e2..08cd3da3f8 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -553,10 +553,10 @@
 jsonwebtoken "^8.5.1"
 lodash "^4.17.15"
 
-"@tryghost/members-api@0.37.12":
- version "0.37.12"
- resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-0.37.12.tgz#53660d77b2116b991b3e2e9633ec0d9d01d9249a"
- integrity sha512-16yLqRLjInmwgEnQe0mSeGj6aM8wch2ZoZEMCuj1aaTdwZExtvtB3qbgX+zYz3Nblr53VdQe9Sz0J4U4IwXDAA==
+"@tryghost/members-api@0.37.13":
+ version "0.37.13"
+ resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-0.37.13.tgz#fa43449b64ceab645195649066b1fdb748d89f23"
+ integrity sha512-6d3QDbXaRW4eTnoX5FOqb7JlSiVmm99QHlaygsb3dNYcrT3/q75Ro0TA5KgoTp9x3vde1Gtwr+U76plwGExapQ==
 dependencies:
 "@tryghost/magic-link" "^0.6.7"
 bluebird "^3.5.4"
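Review bot: The new `/api/member/email` handler on the added line is written as `(req, res) =>` with no `next`, so if `updateEmailAddress` rejects or throws, the rejection is discarded by Express rather than routed to the error handler and the request can hang; the neighbouring routes all go through the `middleware` object, which this one bypasses. Unless the members-api method is known to settle its own response on every path (not visible here), a safer shape is `(req, res, next) => Promise.resolve(membersService.api.middleware.updateEmailAddress(req, res)).catch(next)`, or better a `middleware.updateEmailAddress` wrapper consistent with the sibling routes. Nothing in this route chain checks the member session, so the authentication this fix is about must be enforced inside `updateEmailAddress`; a comment such as `// Requester authentication is enforced inside members-api updateEmailAddress` would make that contract visible to the next reader. `setupMembersApp` begins before the hunk and continues past it.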